What's Behind Drop in 2007 Vulnerability Counts?

For the first time since people started keeping track of this stuff, 2007 saw a noticeable decline in publicly reported security vulnerabilities.

In fact, according to data from IBM ISS X-Force, there was a 5.4 percent decline in new vulnerability disclosures from the previous year, a drop that could represent an anomaly, a statistical correction or a new trend in the number of disclosures.

Here's the chart (the chart image itself is not reproduced here):

As you can see, 2005 and 2006 saw huge jumps (approximately 41 percent each year) that were well above the historical average (27 percent a year), according to X-Force internal statistics.

Although there was a decrease in overall vulnerabilities, the company said high-priority vulnerabilities increased by 28 percent, suggesting that researchers could simply be focusing on the sometimes more difficult, high-priority finds.

I think what we're seeing here is how much the third-party brokers that buy flaws (and sometimes coordinate disclosure) are influencing the way vulnerabilities get reported and fixed by affected vendors.